28 May 2018

F5 ASM – Cookie and HTTP Header Tampering

Many web applications set cookies for user tracking, shopping cart functionality and other reasons related to the user experience. These cookies have to be secured because, if they are not properly protected, a malicious hacker could steal or modify them to gain unauthorized access or make unrequested purchases. Today, Web Application Firewalls (WAF) help us to secure cookies by adding cookie attributes such as the Secure attribute, the HttpOnly attribute, the Domain and Path attributes, the Expires and Max-Age attributes, etc. WAFs are also able to sign cookies, which is useful to protect web applications from attacks like Cookie Tampering or HTTP Request Header Tampering.

Next, we can watch a video where there is a web application vulnerable to Cookie Tampering. First, I have modified the cookie and sent it to the web application successfully. Afterwards, I have protected the web application from Cookie Tampering attacks with F5 BIG-IP ASM. Finally, cookie tampering attacks are unsuccessful because ASM blocks modified cookies which have been enforced and signed by the WAF security policy. Therefore, it is a good idea to know what cookies the web application uses, in order to enforce those which should not be modified on the client side.
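The two paragraphs above describe what cookie signing buys you: the client can still edit a cookie, but it can no longer produce a valid signature for the edited value, so the WAF rejects it. The following is an added example written for this post, not F5's code and not the ASM implementation; it models the idea with an HMAC-SHA256 tag over the cookie name and value. The key, cookie names and values are constructed for the illustration, and "enforced" cookies stand in for the cookies you would enforce in the ASM policy.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Constructed key for this example only: the signing key lives on the WAF
# (or the server) and is never sent to the browser.
SIGNING_KEY = b"example-signing-key-not-for-production"


def sign_cookie(name: str, value: str, key: bytes = SIGNING_KEY) -> str:
    """Append an HMAC-SHA256 tag to a cookie value before it is set.

    The cookie name is part of the MAC input, so a valid tag for one
    cookie cannot be transplanted onto another cookie.
    """
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(name: str, signed_value: str, key: bytes = SIGNING_KEY) -> Optional[str]:
    """Return the original value if the tag is valid, otherwise None.

    The tag is hex and never contains '.', so rpartition splits it off
    correctly even when the value itself contains dots.
    """
    value, sep, tag = signed_value.rpartition(".")
    if not sep:
        return None  # no tag at all: the cookie was never signed
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def build_set_cookie(name: str, value: str, domain: str, path: str = "/",
                     max_age: int = 3600) -> str:
    """Build a Set-Cookie header carrying the signed value plus the
    hardening attributes the post lists (Domain, Path, Max-Age, Secure, HttpOnly)."""
    return (f"{name}={sign_cookie(name, value)}; Domain={domain}; Path={path}; "
            f"Max-Age={max_age}; Secure; HttpOnly")


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Parse a request Cookie header into a name -> raw value mapping."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value
    return cookies


def enforce_request_cookies(cookie_header: str,
                            enforced: Set[str]) -> Tuple[Dict[str, str], List[str]]:
    """Check an incoming Cookie header the way an enforced policy would.

    Cookies named in `enforced` must carry a valid tag; any that lack a tag
    or whose tag does not verify are reported as violations and dropped.
    Cookies that are not enforced pass through unchanged.
    """
    accepted: Dict[str, str] = {}
    violations: List[str] = []
    for name, raw in parse_cookie_header(cookie_header).items():
        if name not in enforced:
            accepted[name] = raw
            continue
        value = verify_cookie(name, raw)
        if value is None:
            violations.append(name)
        else:
            accepted[name] = value
    return accepted, violations


if __name__ == "__main__":
    print("Set-Cookie:", build_set_cookie("price", "100", "shop.example"))
    # The browser returns the cookie untouched: accepted.
    good = "session=abc123; price=" + sign_cookie("price", "100")
    print(enforce_request_cookies(good, {"price"}))
    # The client edits the price but cannot recompute the tag: violation.
    tag = sign_cookie("price", "100").split(".")[1]
    bad = "session=abc123; price=1." + tag
    print(enforce_request_cookies(bad, {"price"}))
```

The point to take from the model is the one the post makes about Selective Learning: only cookies the policy knows about get a tag and get checked, so the inventory of which cookies must never change on the client side is what makes the enforcement meaningful.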

Next, there is another video where the web application is also vulnerable to HTTP Request Header Tampering. First, I have modified the Referer HTTP header to take advantage of the Shellshock vulnerability, which is not blocked. Afterwards, I have enforced the attack signatures “bash Shellshock execution attempt” and “/bin execution attempt”. Finally, HTTP Request Header Tampering attacks are unsuccessful because ASM detects the malicious strings used to exploit the Shellshock vulnerability in the Referer HTTP header. Therefore, it is a good idea to enforce attack signatures in the WAF security policy.
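To make the header-signature step concrete, here is an added example (written for this post; it is not F5's signature engine, and the two patterns are illustrative stand-ins named after the signatures the post enforces, not ASM's actual definitions). It parses a raw request head, URL-decodes the inspected headers the way a WAF normalises input, and reports which signature fired on which header. The sample requests are constructed; the "tampered" one carries only a harmless echo so the detection can be exercised.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed patterns modelled on the two signature names in the post.
# Illustrative only; they are not F5's actual signature definitions.
SIGNATURES = {
    # The bash function-definition prefix that Shellshock-style payloads start with.
    "bash Shellshock execution attempt": re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;"),
    # A /bin/<tool> path where a shell command would sit, not inside a URL path.
    "/bin execution attempt": re.compile(r"(?:^|[\s;|&`])/bin/[a-z]+", re.IGNORECASE),
}

# Headers the policy inspects; Referer is the one tampered with in the post.
INSPECTED_HEADERS = {"referer", "user-agent", "cookie"}


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return lowercase header name -> value for a raw HTTP request head."""
    headers: Dict[str, str] = {}
    lines = raw_request.strip().splitlines()
    for line in lines[1:]:  # skip the request line
        if not line.strip():
            break  # end of the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def scan_request(raw_request: str) -> List[Tuple[str, str]]:
    """Return (header, signature) pairs for every signature hit.

    Values are percent-decoded before matching, so the same string cannot
    slip past the pattern simply by being URL-encoded.
    """
    findings: List[Tuple[str, str]] = []
    for name, value in parse_headers(raw_request).items():
        if name not in INSPECTED_HEADERS:
            continue
        decoded = unquote(value)
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                findings.append((name, sig_name))
    return findings


def decide(raw_request: str) -> str:
    """Blocking mode: any signature hit rejects the request."""
    return "BLOCK" if scan_request(raw_request) else "ALLOW"


# Constructed sample requests.
BENIGN_REQUEST = """GET /cgi-bin/status HTTP/1.1
Host: shop.example
User-Agent: Mozilla/5.0
Referer: https://shop.example/bin/search?q=cart
"""

TAMPERED_REQUEST = """GET /cgi-bin/status HTTP/1.1
Host: shop.example
User-Agent: Mozilla/5.0
Referer: () { :; }; /bin/echo tampered
"""

# Same tampered Referer, percent-encoded.
ENCODED_REQUEST = """GET /cgi-bin/status HTTP/1.1
Host: shop.example
Referer: %28%29%20%7B%20%3A%3B%20%7D%3B%20%2Fbin%2Fecho%20tampered
"""

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("tampered", TAMPERED_REQUEST),
                       ("encoded", ENCODED_REQUEST)]:
        print(label, decide(req), scan_request(req))
```

Note the boundary on the "/bin" pattern: a Referer that legitimately contains "/bin/" inside a URL path is not flagged, which is the kind of false-positive check worth doing before moving a signature from staging to enforcement.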

To sum up, we can use a WAF to protect web applications from Cookie Tampering and HTTP Request Header Tampering, which are attacks that are difficult to block with a traditional network firewall. In this post, we have seen that a manual security policy with Selective Learning for cookies and with Attack Signatures enforced in the WAF security policy is the best configuration to block sophisticated attacks which try to take advantage of cookies and other HTTP headers to get into web applications.